Privacy implications of tracking individuals' navigation throughout stores or facilities

As customer centric marketing strategies are on the rise, more and more business operators (e.g. retailers, airports, train stations and hotels) have started using mobile location analytic solutions ("MLA") to analyse customer behaviour within their facilities.

How it Works

By installing MLA technologies, businesses can measure the number of people that walk past or enter their facilities, the repeat visits and dwelling times of customers within the monitored areas. To do so, sensors located in the monitored areas capture unique identifiers (e.g. MAC address, UID, name of the device) emitted by visitors' or passers-by' mobile or tablet devices.

Legal Issues of Location Analytics

Depending on the country where such solutions are rolled out, different pieces of legislation can come into play.

In the U.S., businesses might find themselves subject to Children's Online Privacy Protection (COPPA) obligations if they were to collect, use or disclose information from childrens' mobile or tablet devices. It is also worth noting that a self-regulatory Code of Conduct (the "Code") is offered to MLA U.S. providers who can voluntarily choose to comply with the Code, so as to demonstrate their commitment to protecting individuals' privacy. By choosing to adhere with the Code, MLA providers and their corporate clients are promising to: (i) have conspicuous signage to inform individuals about the collection and use of their relevant data, and to provide a detailed privacy notice; (ii) ensure that the collected data is limited to that necessary to produce such analytics; (iii) provide individuals with a choice to opt out from having their data collected; (iv) ensure that the collected data is used only to analyse individuals' behaviour, and not for any other purposes; (iv) ensure that any third party complies with the Code (if the data is shared with a third party); (v) implement internal policies to regulate data retention and deletion; and (vi) participate in educating individuals and to develop a standard symbol to indicate when MLA data is collected.

In the European Union, the well-established Data Protection Directive and its member states' data protection implementing legislation are likely to apply. This will depend upon the type of data being captured and kept by the organisation in collaboration with its MLA provider. It is important to note that many EU data protection authorities (i.e. regulators in charge of enforcement data protection obligations) are currently interested in this issue. By way of illustration, the French watchdog (i.e. the CNIL) recently issued guidelines on this topic including details on anonymisation techniques, the duty to inform individuals, and possible filing obligations (i.e. organisations may have to: (i) register such processing MLA activities with the CNIL; or (ii) obtain CNIL's prior authorisation – this depends on the type of MLA technology being used).

In the Asia-Pacific, the increasing number of countries with general and comprehensive data protection legislation (e.g. Singapore, Australia, South Korea, Japan, Hong Kong, Malaysia, Taiwan, etc.) is likely to affect organisations' MLA ambitions. Again, the applicability of such data protection legislation will depend on the type of data being captured and kept by the organisation in collaboration with its MLA provider.

What do organisations need to do?

The increasing interest from individuals, privacy regulators and consumer associations regarding this topic makes it vital for organisations willing to embrace MLA technologies to address any legal implications at the very beginning of the project. The following recommendations and steps should be considered:

List the countries to be involved: this is an important preliminary step to identify which legislation your organisation might be subject to.

Scope the project: exhaustively identify the data being collected, whether anonymisation techniques will be used and produce a list of the recipients whose data is being collected.

run a due diligence: gauge the provider's knowledge of the legal implications and look for evidence of possible certification, policies or adherence to relevant codes of conduct; and

carefully review the contemplated service agreement: in addition to the usual contractual points of attention, pay attention to data protection and privacy wording, clarify who has the ownership over the collected data, insert audit provisions and think about data portability and non-proprietary format.